Credit to Arek Dreyer for these
If you need to access your MDM server from the "outside world" you need the following ports, all TCP
Web SSL: 443
Alternatively, if you don't need access from outside world to your MDM server you only need:
Without access to APNS, the whole profile pushing etc won't work.
Just for my clarification, please... For external access, must the Internet router have a static IP and those ports forwarded to the MDM server?
I was also wondering where in the process the device learns the external IP of the server to contact. I understand when there's an update/lock/wipe/etc. the server contacts the APNS, the APNS tells the device to contact the server, but how does the device know the address of the server?
Thanks for any additional info anyone can provide.
To answer your second question: I'd wager that it's during the enrollment of the devices, which installs a profile on the device. From there it knows where its MDM server is. With that in place, it simply receives push notifications which tell it, "oi! go fetch at the MDM". Haven't played around too much with it, but that's my guesstimate.
Re your first question. I'm about to actively play with it so then I'll probably know more, but in the meanwhile....
That should help you.
Finally, documentation that spells a lot of stuff out. Worth the $4.99.
Watch out when creating the SSL certificate. Testing the PM now.
Thanks. It's a pain without proper documentation. We did get Profile Manager working, although within a closed network. It's quite slick when it works.
However, we need to access the devices over the Internet and cell network, so was wondering what exactly is required. The Profile Manager Help doc states the MDM server must have a static Internet IP. And with those ports open I would believe. We're just looking at doing that in the most secure manner.
For Profile Manager I opened/forwarded these ports:
Port TCP 443 (https)
Port TCP 1640 (SCEP)
Port TCP 5223 (APNS)
Port TCP 2195 (APNS)
Port TCP 2196 (APNS)
This is an old post but it comes up in Google searches now and it's important people don't make firewall mistakes.
Ports 5223, 2195 and 2196 are for outbound purposes only and are only for contact with Apple's 188.8.131.52/8 network. Firewalls should lock these down to 184.108.40.206/8. Devices do not talk to your server on these ports. So you should not open these ports inbound to your network. Neither do you need to forward them in a NAT'd environment. Your server is the only thing which needs 2195 and 2196. The devices and the server will use 5223. They create outbound persistent connections to these. The connection to these will never be initiated inbound to devices or the server.
Your devices do need to contact your server on 443 and 1640.
They don't regularly communicate on those ports by themselves without prompting from you. Any time you save changes to the configuration profile(s), the devices will be told to go get the profile(s) by the APNS. So your devices will need to be able to access those ports any time you change the profiles. Additionally, other information pulls from the devices that you might trigger will also require those ports to be open so that the devices can deliver the requested info to your server.
Perhaps, though, if you think your profiles are settled and you won't require regular info updates from the devices, then you could close those ports until needed again. Even if you wanted to lock or remote wipe the devices outside of your network, that should still work without those ports being open. For locking or remote wiping, the APNS will deliver those instructions to the device. It doesn't need to dial home first in those cases.
I have configured MDM with Mountain Lion, Server Tools 2.2.1; it worked fine with an iOS device (checked with an iPad).
But when I pushed to OS X devices, it got stuck... lots of searching on Google, and I found some threads where people had the same issues.
The solution was to open following ports:
To use Profile Manager, you should ensure that the following ports are open on your network.
Port 2195, 2196 TCP: Used by Profile Manager to send push notifications
Port 5223 TCP: Used to maintain a persistent connection to APNs and receive push notifications
Port 80/443 TCP: Provides access to the web interface for Profile Manager admin
Port 1640 TCP: Enrollment access to the Certificate Authority
But when I tried to open the ports (tried both text-based and with IceFloor):
sudo ipfw add 27860 allow tcp from any to any dst-port 2196
sudo ipfw add 27860 allow tcp from any to any dst-port 2195
sudo ipfw add 78600 allow tcp from any to any dst-port 5223
When I use sudo lsof -i -P | grep -i "listen", it did not show me whether the ports are open.